minifilter Microsoft validation question

Hello!

I would like to know if a minifilter which registers preoperation callback
routines for all available major function codes in which it completes all
the I/O operations would pass Microsoft certification phase or would be
considered some kind of dangerous software.

Thank you very much!


Cristian

Why would you think this would not pass certification, assuming you are not doing something else to mess up the cert? This is basically what the Minispy sample does.

Don Burn
Windows Driver Consulting
Website: http://www.windrvr.com

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Cristian Darau xxxxx@lists.osr.com
Sent: Wednesday, September 13, 2017 1:21 PM
To: Windows File Systems Devs Interest List
Subject: [ntfsd] minifilter Microsoft validation question


The minispy passes all the I/O operations down the minifilter driver instance stack, whereas I was thinking about a minifilter that completes all the I/O operations in the preoperation callback routine.

The reason I am suspicious about this not getting through certification is that such a minifilter would not allow any I/O whatsoever to go down below it. Is this behaviour permitted by Microsoft?

I think the issue would more be specifically HOW the MiniFilter RESPONDS than where it completes the requests.

Your filter won’t pass if you fail every request, that’s for sure.

The MiniFilter tests are pretty darn comprehensive. For example, the test will create a file of a given size, and then query the file size. The returned size has to match the expected value.

Peter
OSR
@OSRDrivers

Thank you for the answer.

I was thinking something like mirroring every operation into a corresponding db query. So not failing, not succeeding every request. This would be consistent so I guess that generic tests (as you have described one) would all pass.

But still, if Microsoft certification phase would look at if the minifilter in question ever allows an I/O to pass below it, and consider this test as a given for every minifilter, then a minifilter as that described above would fail the validation.

Now… there are people who are a lot more knowledgeable about this stuff than me. But I am not aware of any requirement to actually ACCESS the underlying media.

Having said that, let me warn you that the tests can be VERY specific to the point of sometimes being annoying. For example, the tests “know” if you’re filtering an NTFS volume, and will make assumptions about how NTFS will act. If you can satisfy all those assumptions, I’d say you’d be good to go.

I’m hoping somebody else, either from OSR or the community, who has more experience on this than I do, will weigh in here.

Peter
OSR
@OSRDrivers

> The reason I am suspicious about this not getting through certification is
> that such a minifilter would
> not allow any I/O whatsoever to go down below it. Is this behaviour permitted
> by Microsoft?

It actually sounds as if you are implementing a file system - just using
minifilter to do the work. I can see the attraction.

There is no reason why your filter shouldn’t pass the tests - eventually.
As Peter says, you have to make it look like everything else, and given that
I haven’t seen you in here before (forgive me if I don’t recognise your
name) I’ll give the statutory warning that this could take calendar
years and 10s of many months.

You are *certainly* going to have to have implemented the cache manager
interfaces (pretty much like an Isolate filter would). Apart from the fact
that things like Notepad won’t work there are a whole series of tests which
exercise that very fully (causing reads and writes via the cache, around the
cache and with pagefaults).

You may well need to have some careful consideration as to how you respond
to the FSCTLs which query for the layout of the file on disk. I’m not aware
of any test which actually goes around the file system to check (although
there are plenty of other “tools” that do so).

Other thoughts. You are going to have to make sure that you implement
directory oplocks too. I am not sure what the state of those tests are as
of the most recent builds but there is a huge, very extensive (and
thoroughly useful, if naggingly annoying) test which just tests that.

Oh yea, and reparse points (although ISTR you can turn that off in the
Volume Query Response and recent versions of the tests do test to respect
that).

If none of the above frightens you then you should be OK (eventually). If
anything has you scratching your head you may need to look very closely (and
soon) at these tests.

/R